CVE-2021-36175 — Cross-site Scripting in Fortinet Fortiwebmanager

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

5.4MEDIUMNVD

CNA4.1

EPSS

0.2%

top 58.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortiweb Fortinet Fortiwebmanager

Timeline

PublishedOct 6

Latest updateMay 24

Description

An improper neutralization of input vulnerability [CWE-79] in FortiWebManager versions 6.2.3 and below, 6.0.2 and below may allow a remote authenticated attacker to inject malicious script/tags via the name/description/comments parameter of various sections of the device.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5fortinet/fortinet_fortiwebmanagerFortiWebManager 6.0.2 6.2.3

▶NVDfortinet/fortiweb6.0.0 — 6.2.4

🔴Vulnerability Details

GHSA

GHSA-4343-wxmv-4jg6: An improper neutralization of input vulnerability [CWE-79] in FortiWebManager versions 6↗2022-05-24

▶

CVEList

CVE-2021-36175: An improper neutralization of input vulnerability [CWE-79] in FortiWebManager versions 6↗2021-10-06

▶

📋Vendor Advisories

Fortinet

An improper neutralization of input vulnerability [CWE-79] in FortiWebManager versions 6.2.3 and below, 6.0.2 and below...↗2021-10-06

▶